Critical infrastructure at risk from SCADA vulnerabilities

27 November 2012

SCADA software, which runs the industrial control systems in utilities, airports, nuclear facilities, manufacturing plants and the like, is increasingly a target for attackers looking to exploit what appears to be a growing number of disclosed vulnerabilities, raising fears that critical infrastructure may be at risk.

“With SCADA software being primarily responsible for critical operations and national infrastructures, an attack of this nature could not only result in the loss of data, but could also cause damage to physical assets and, in certain scenarios, the loss of life,” said Ross Brewer, vice president and managing director, International Markets, at LogRhythm, in an email to Infosecurity. “As such it’s no surprise that arguably the most notorious cyber attacks of the past couple of years – such as the Stuxnet and Flame viruses – have been SCADA breaches.”

Nonetheless, they appear to be easy pickings. On Thanksgiving, Aaron Portnoy, the vice president of research at Exodus Intelligence, was able to uncover no fewer than 23 vulnerabilities in SCADA systems in just a few hours. The first exploitable zero-day took a mere seven minutes to discover. “I had a morning’s worth of time to wait for a turkey to cook, so I decided to take a shot at finding as many SCADA 0day vulnerabilities as possible,” he explained.

It was, he added, ridiculously simple, which points to a lack of modern secure-coding practice in the products he examined.

“For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison,” Portnoy said, noting that he reported all of the vulnerabilities to ICS-CERT, the DHS team that coordinates disclosure with SCADA vendors so that vulnerabilities get fixed. “The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself.”

Fundamentally, SCADA systems were never really designed to be secure, Brewer said. “At least not from an IT perspective,” he noted. “With much of existing national infrastructure developed prior to the rise of the Internet, the focus of control system security is often limited to physical assets. This latest discovery of a host of SCADA vulnerabilities should therefore make it clear to organizations and governments alike that lax security is never an option and they must urgently re-examine the tools that are currently defending our control systems.”

For now, cyber attacks on SCADA systems are rare compared with the number of incidents involving web applications or enterprise IT networks, but the consequences are disproportionately severe, because the target is a physical process rather than data. Defenses therefore need to change. “Unfortunately, traditional perimeter cybersecurity defenses such as anti-virus software are no longer enough to ensure protection – the Flame virus, for example, avoided detection from 43 different anti-virus tools and took over two years to detect,” Brewer said.

What’s required is continuous monitoring of all log data generated by IT systems, so that organizations can automatically baseline normal, day-to-day activity across systems and multiple dimensions of IT infrastructure, he recommended. This would enable the real-time detection, response and investigative analysis of even the most sophisticated attacks that deviate from this definition of normal behavior.

“In order to subvert this approach, hackers would have to simultaneously break into their target SCADA systems, and into the log management system to modify specifically the pieces they were looking for – a very difficult if not impossible task,” Brewer said. “With the increasing computerization of critical infrastructure services, only by adding these additional levels of protection can anomalies be identified in real-time and cyber threats be responded to.”
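The two ideas Brewer describes above, a baseline of normal activity learned from log data against which deviations are flagged, and a log-management system whose records an attacker cannot quietly alter after compromising the SCADA host, can be shown in a few dozen lines. The following is an added example written for this page; it is not LogRhythm’s product logic and not code from the original article. The gateway log format, the host name `hmi-gw1`, the IP addresses, the PLC name `plc-pump1` and the `MODBUS_READ`/`MODBUS_WRITE` event names are all constructed for illustration, and the HMAC chain is one simple way to make forwarded records tamper-evident, not a claim about how any particular product does it.

```python
"""Baseline-and-deviation detection over SCADA gateway logs, plus a
tamper-evident HMAC chain for the forwarded records. Added example for
this article; all log lines, hosts and addresses below are constructed."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed record format from a hypothetical HMI/PLC gateway:
#   <ISO time> <host> <event> src=<ip> unit=<plc>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) src=(?P<src>\S+) unit=(?P<unit>\S+)"
)


def _day(date, rows):
    """Build one day of constructed log lines from (time, src, event, unit) rows."""
    return [f"{date}T{t} hmi-gw1 {ev} src={src} unit={unit}" for t, src, ev, unit in rows]


# A "normal" operating day: the HMI polls the pump PLC three times and writes
# one setpoint; an engineering workstation reads once.
NORMAL_DAY = [
    ("08:00:11", "10.10.1.20", "MODBUS_READ", "plc-pump1"),
    ("12:00:07", "10.10.1.20", "MODBUS_READ", "plc-pump1"),
    ("16:00:02", "10.10.1.20", "MODBUS_READ", "plc-pump1"),
    ("09:15:03", "10.10.1.20", "MODBUS_WRITE", "plc-pump1"),
    ("10:30:44", "10.10.1.30", "MODBUS_READ", "plc-pump1"),
]
BASELINE_LINES = _day("2012-11-19", NORMAL_DAY) + _day("2012-11-20", NORMAL_DAY)
# Monitoring day: a burst of night-time writes from the HMI address and one
# write from an address never seen before.
MONITOR_LINES = _day("2012-11-21", NORMAL_DAY + [
    ("02:10:09", "10.10.1.20", "MODBUS_WRITE", "plc-pump1"),
    ("02:11:15", "10.10.1.20", "MODBUS_WRITE", "plc-pump1"),
    ("02:12:40", "10.10.1.20", "MODBUS_WRITE", "plc-pump1"),
    ("02:13:02", "192.168.7.9", "MODBUS_WRITE", "plc-pump1"),
])


def parse(lines):
    """Yield (src, event, unit) for each well-formed gateway record; skip junk."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], m["event"], m["unit"])


def build_baseline(lines, days):
    """Average daily count of each (src, event, unit) tuple over the training window."""
    counts = Counter(parse(lines))
    return {key: n / days for key, n in counts.items()}


def detect(baseline, lines, ratio=3.0):
    """Compare one day of records with the baseline.

    Returns a sorted list of (reason, src, event, unit):
      new-actor: a tuple never seen during training (e.g. a new host writing to a PLC)
      spike:     a known tuple occurring more than `ratio` times its daily average
    """
    observed = Counter(parse(lines))
    findings = []
    for key, n in observed.items():
        avg = baseline.get(key, 0.0)
        if avg == 0.0:
            findings.append(("new-actor",) + key)
        elif n > ratio * avg:
            findings.append(("spike",) + key)
    return sorted(findings)


def chain(records, key):
    """Tag each forwarded record with HMAC(key, previous_tag || record).

    The key is held only by the log-management system, so a record altered on
    the source host after forwarding, or edited in the collector's store by
    someone without the key, fails verification from that point on."""
    tags, prev = [], b"\x00" * 32
    for rec in records:
        prev = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        tags.append(prev)
    return tags


def first_tampered(records, tags, key):
    """Index of the first record whose tag does not verify, or -1 if the chain is intact."""
    prev = b"\x00" * 32
    for i, (rec, tag) in enumerate(zip(records, tags)):
        expect = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return i
        prev = tag
    return -1


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LINES, days=2)
    for finding in detect(baseline, MONITOR_LINES):
        print(*finding)
    key = b"collector-only-key"  # constructed; in practice issued by the log system's KMS/HSM
    tags = chain(MONITOR_LINES, key)
    forged = MONITOR_LINES[:]
    forged[-1] = forged[-1].replace("192.168.7.9", "10.10.1.20")  # attacker hides the new actor
    print("tampered at index", first_tampered(forged, tags, key))
```

Running it reports the unknown address as a new actor and the HMI’s write count as a spike, and rewriting the forged record’s source address is caught at its index in the chain. Two caveats a practitioner would add: a baseline learned while the attacker is already present will treat their activity as normal, so the training window has to be chosen with care, and a chain like this detects modification but not truncation of the tail, so the collector also needs to anchor its latest tag somewhere the source host cannot reach.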
